Search criteria

2 vulnerabilities by fzf

CVE-2026-53433 (GCVE-0-2026-53433)

Vulnerability from cvelistv5 – Published: 2026-06-30 12:01 – Updated: 2026-06-30 13:32 X_Open Source
VLAI?
Title
Denial of Service in fzf
Summary
fzf is vulnerable to a Denial of Service (DoS) due to inefficient HTTP body processing in the --listen mode due to inefficient HTTP body processing using repeated string concatenation, resulting in quadratic time complexity (O(n²)). A crafted POST request with many small segments can trigger excessive CPU usage during request handling.This allows a single malicious request to monopolize the single‑threaded HTTP server, blocking all other clients and resulting in denial of service. This issue was fixed in version 0.73.1.
CWE
  • CWE-407 - Inefficient Algorithmic Complexity
Assigner
Impacted products
Vendor Product Version
fzf fzf Affected: 0 , < 0.73.1 (semver)
Create a notification for this product.
Credits
Michał Majchrowicz (AFINE Team) Marcin Wyczechowski (AFINE Team)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-53433",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-30T13:32:32.210950Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T13:32:52.251Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "fzf",
          "programFiles": [
            "src/server.go"
          ],
          "repo": "https://github.com/junegunn/fzf",
          "vendor": "fzf",
          "versions": [
            {
              "lessThan": "0.73.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Micha\u0142 Majchrowicz (AFINE Team)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Marcin Wyczechowski (AFINE Team)"
        }
      ],
      "datePublic": "2026-06-30T12:01:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "fzf is vulnerable to a Denial of Service (DoS) due to inefficient HTTP body processing in the --listen \u003cspan style=\"background-color: rgba(221, 223, 228, 0.04);\"\u003emode due to inefficient HTTP body processing using repeated string concatenation, resulting in quadratic time complexity (O(n\u00b2)). A crafted POST request with many small segments can trigger excessive CPU usage during request handling.\u003c/span\u003eThis allows a single malicious request to monopolize the single\u2011threaded HTTP server, blocking all other clients and resulting in denial of service.\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/span\u003eThis issue was fixed in version 0.73.1.\u003cbr\u003e"
            }
          ],
          "value": "fzf is vulnerable to a Denial of Service (DoS) due to inefficient HTTP body processing in the --listen mode due to inefficient HTTP body processing using repeated string concatenation, resulting in quadratic time complexity (O(n\u00b2)). A crafted POST request with many small segments can trigger excessive CPU usage during request handling.This allows a single malicious request to monopolize the single\u2011threaded HTTP server, blocking all other clients and resulting in denial of service.\n\nThis issue was fixed in version 0.73.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-407",
              "description": "CWE-407 Inefficient Algorithmic Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T12:01:14.407Z",
        "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "shortName": "CERT-PL"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/en/posts/2026/06/CVE-2026-53432"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/junegunn/fzf"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/junegunn/fzf/commit/7963a2c6586c0b9eaa89b8995de8f0e08cf8a4ce"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "Denial of Service in fzf",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
    "assignerShortName": "CERT-PL",
    "cveId": "CVE-2026-53433",
    "datePublished": "2026-06-30T12:01:14.407Z",
    "dateReserved": "2026-06-09T11:41:37.126Z",
    "dateUpdated": "2026-06-30T13:32:52.251Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-53432 (GCVE-0-2026-53432)

Vulnerability from cvelistv5 – Published: 2026-06-30 12:01 – Updated: 2026-06-30 15:58 X_Open Source
VLAI?
Title
Integer Overflow in fzf
Summary
fzf is vulnerable to Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is approximately 2,200,000 bytes and pattern length is 999 bytes, the product overflows. The Go runtime detects the invalid slice bounds and terminates the process immediately with a non-recoverable panic. This issue was fixed in version 0.73.1.
CWE
  • CWE-190 - Integer Overflow or Wraparound
Assigner
Impacted products
Vendor Product Version
fzf fzf Affected: 0 , < 0.73.1 (semver)
Create a notification for this product.
Credits
Michał Majchrowicz (AFINE Team) Marcin Wyczechowski (AFINE Team)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-53432",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-30T14:18:33.486018Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T15:58:16.427Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "32 bit"
          ],
          "product": "fzf",
          "programFiles": [
            "src/algo/algo.go"
          ],
          "programRoutines": [
            {
              "name": "FuzzyMatchV2"
            }
          ],
          "repo": "https://github.com/junegunn/fzf",
          "vendor": "fzf",
          "versions": [
            {
              "lessThan": "0.73.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Micha\u0142 Majchrowicz (AFINE Team)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Marcin Wyczechowski (AFINE Team)"
        }
      ],
      "datePublic": "2026-06-30T12:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "fzf is vulnerable to\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eInteger Overflow leading to crash in \u003ci\u003eFuzzyMatchV2\u003c/i\u003e function. When input line length is\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eapproximately 2,200,000 bytes and pattern length is 999 bytes, the product\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eoverflows.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe Go runtime detects the invalid slice bounds and terminates the\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eprocess immediately with a non-recoverable panic.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003c/span\u003eThis issue was fixed in version 0.73.1."
            }
          ],
          "value": "fzf is vulnerable to\u00a0Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is\u00a0approximately 2,200,000 bytes and pattern length is 999 bytes, the product\u00a0overflows.\u00a0The Go runtime detects the invalid slice bounds and terminates the\u00a0process immediately with a non-recoverable panic.\n\nThis issue was fixed in version 0.73.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190 Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T12:01:07.027Z",
        "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "shortName": "CERT-PL"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/en/posts/2026/06/CVE-2026-53432"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/junegunn/fzf"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/junegunn/fzf/commit/ccedd064ca56921a4235219516b3d834f60e7b91"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "Integer Overflow in fzf",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
    "assignerShortName": "CERT-PL",
    "cveId": "CVE-2026-53432",
    "datePublished": "2026-06-30T12:01:07.027Z",
    "dateReserved": "2026-06-09T11:41:37.126Z",
    "dateUpdated": "2026-06-30T15:58:16.427Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}